also sprach Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> [2006.07.04.1143 +0200]:
> That is false, because from the connection tracking point of view a plain ACK
> packet which does not belong to any existing connection has got a state,
> which is NEW. That is why connection pickup can work.

Yeah, and so it's not INVALID. I did not know about connection tracking,
but other than that, the following two are equivalent, no?

  accept ESTABLISHED,RELATED
  drop INVALID
  accept --dport 22
  drop

and

  accept ESTABLISHED,RELATED
  accept --dport 22 --syn
  drop

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"if you have built castles in the air,
 your work need not be lost;
 that is where they should be.
 now put the foundations under them."
                                                   -- henry david thoreau
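The following is an added example, not code from the thread or from the netfilter project. It models how the two rule sets above would treat a single TCP packet, using the connection tracking behaviour described in the quoted reply (a bare ACK that matches no tracked connection is classified NEW, not INVALID, when mid-stream pickup is on). The `Conntrack` class is a deliberately simplified stand-in for the kernel's TCP tracker; the `tcp_loose` switch stands for the `ip_conntrack_tcp_loose` / `nf_conntrack_tcp_loose` sysctl that enables pickup, and the packets are constructed here. Running it shows where the two rule sets agree and where they part ways: the first set accepts a bare ACK to port 22 once conntrack calls it NEW, while the `--syn` rule in the second set only admits a proper SYN.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed TCP packet: just the fields the two rule sets look at."""
    src: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class Conntrack:
    """Simplified model of the TCP conntrack state decision (assumption, not kernel code)."""

    def __init__(self, tcp_loose: bool = True) -> None:
        self.tcp_loose = tcp_loose   # models the *_conntrack_tcp_loose sysctl (pickup on/off)
        self.tracked: set = set()    # flows already seen: (src, sport, dport)

    def state(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dport)
        if key in self.tracked:
            return "ESTABLISHED"
        if p.syn and not (p.ack or p.fin or p.rst):
            return "NEW"               # ordinary connection attempt
        if p.ack and not (p.syn or p.fin or p.rst):
            # bare ACK for an unknown flow: the "connection pickup" case from the thread
            return "NEW" if self.tcp_loose else "INVALID"
        return "INVALID"               # e.g. SYN+FIN, or a stray FIN/RST for an unknown flow

    def track(self, p: Packet) -> None:
        """Record a flow so later packets in it are ESTABLISHED."""
        self.tracked.add((p.src, p.sport, p.dport))


def is_syn(p: Packet) -> bool:
    """iptables --syn: SYN set and ACK, RST, FIN clear."""
    return p.syn and not (p.ack or p.rst or p.fin)


def ruleset_a(ct: Conntrack, p: Packet) -> str:
    """accept ESTABLISHED,RELATED / drop INVALID / accept --dport 22 / drop"""
    st = ct.state(p)
    if st in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if st == "INVALID":
        return "DROP"
    if p.dport == 22:
        return "ACCEPT"                # matches any flags, including a bare ACK marked NEW
    return "DROP"


def ruleset_b(ct: Conntrack, p: Packet) -> str:
    """accept ESTABLISHED,RELATED / accept --dport 22 --syn / drop"""
    st = ct.state(p)
    if st in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if p.dport == 22 and is_syn(p):
        return "ACCEPT"
    return "DROP"


def compare(p: Packet, tcp_loose: bool = True, tracked: bool = False) -> tuple:
    """Return (conntrack state, verdict of set A, verdict of set B) for one packet."""
    ct = Conntrack(tcp_loose=tcp_loose)
    if tracked:
        ct.track(p)
    return ct.state(p), ruleset_a(ct, p), ruleset_b(ct, p)


if __name__ == "__main__":
    cases = {
        "SYN to 22":                 Packet("198.51.100.7", 40000, 22, syn=True),
        "bare ACK to 22 (pickup)":   Packet("198.51.100.7", 40001, 22, ack=True),
        "bare ACK to 22 (no pickup)": None,  # filled below with tcp_loose=False
        "bare ACK to 80":            Packet("198.51.100.7", 40002, 80, ack=True),
        "SYN+FIN to 22":             Packet("198.51.100.7", 40003, 22, syn=True, fin=True),
    }
    for name, pkt in cases.items():
        if pkt is None:
            pkt = Packet("198.51.100.7", 40001, 22, ack=True)
            print(f"{name:28} -> {compare(pkt, tcp_loose=False)}")
        else:
            print(f"{name:28} -> {compare(pkt)}")
```

The only row where the verdicts differ is the bare ACK to port 22 with pickup enabled: set A sees state NEW and lets `accept --dport 22` match, set B drops it because `--syn` does not. With pickup disabled that packet is INVALID and both sets drop it, which is the situation in which the two lists really are interchangeable.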